Xoxoday Plum APIs and services enforce HTTPS and TLS 1.3 for all data in transit, ensuring encrypted, tamper-resistant communication across every integration and endpoint.

Secure by Default: HTTPS and TLS 1.3

Xoxoday Plum enforces HTTPS across all API endpoints and web services. Every request — whether initiated by a user logging into the dashboard or by an automated integration calling the rewards API — travels over an encrypted connection, with no fallback to unencrypted HTTP permitted. The underlying encryption standard is TLS 1.3, the latest version of Transport Layer Security ratified by the IETF. Compared to earlier versions, TLS 1.3 eliminates legacy cipher suites with known vulnerabilities, reduces the handshake overhead needed to establish a secure session, and provides stronger forward secrecy guarantees. This means that even if a single session key were ever exposed, past communications remain fully protected.

Why This Matters for Enterprise Integrations

When your organisation connects Xoxoday Plum to tools such as Slack, Microsoft Teams, Workday, SAP SuccessFactors, or Darwinbox, data moves between systems continuously — employee records, reward triggers, approval events, and redemption confirmations. Each of these exchanges travels over TLS 1.3, keeping sensitive information encrypted from source to destination regardless of the network path involved. For IT and security teams running vendor risk assessments, protocol-level encryption is a foundational baseline requirement. It ensures data cannot be intercepted or silently altered in transit, which is especially critical for integrations that carry personally identifiable information or financial reward values.

Alignment with ISO 27001 and SOC 2 Type II

Using current, secure protocols is a key technical control under widely recognised security frameworks. Xoxoday Plum’s enforcement of HTTPS and TLS 1.3 aligns with requirements documented in ISO 27001 Annex A and is audited as part of Xoxoday Plum’s SOC 2 Type II assessment scope. Organisations operating under these frameworks can reference this directly in their third-party vendor risk documentation. For teams in regulated industries — financial services, healthcare, or public sector — this is particularly relevant. Protocol compliance is frequently a non-negotiable line item in vendor security questionnaires, and Xoxoday Plum meets the current industry bar.

What Your IT Team Can Verify

Your IT or security team can independently confirm TLS 1.3 support using standard tooling such as SSL Labs. Xoxoday Plum does not support legacy protocols such as TLS 1.0 or TLS 1.1, both of which have been formally deprecated by the IETF and are excluded from modern compliance benchmarks. If your organisation requires a completed security questionnaire or evidence documentation covering protocol standards, this can be requested through the standard vendor onboarding process. Learn more: Xoxoday Plum Help Centre — General
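The check described above can also be scripted with Python's standard `ssl` module. This is an added example, not Xoxoday's own code or tooling: it offers one protocol version per connection and compares the outcome with the claims on this page. The function names `probe` and `evaluate` are hypothetical, the hostname is whatever endpoint you pass on the command line, and a constructed sample result is used when none is given.

```python
import socket
import ssl
import sys

# Page's claims: TLS 1.3 accepted, TLS 1.0/1.1 refused; TLS 1.2 is recorded but not judged.
REQUIRED = {"TLSv1.3"}
FORBIDDEN = {"TLSv1", "TLSv1.1"}
VERSIONS = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def probe(host, port=443, timeout=5.0):
    """Offer one version per connection: True, False, or None (inconclusive)."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            ctx = ssl.create_default_context()
            ctx.minimum_version = ctx.maximum_version = version
            if name in FORBIDDEN:
                # Default security levels can stop the client itself offering TLS 1.0/1.1.
                ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            raw = socket.create_connection((host, port), timeout=timeout)
        except (OSError, ValueError):
            results[name] = None  # unreachable, or version absent from local OpenSSL
            continue
        try:
            with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
                results[name] = tls.version() == name
        except OSError:  # ssl.SSLError is a subclass: handshake did not complete
            results[name] = False
    return results


def evaluate(results):
    """Return findings against the page's claims; an empty list means consistent."""
    findings = []
    for name in sorted(REQUIRED | FORBIDDEN):
        seen = results.get(name)
        if seen is None:
            findings.append(f"{name}: inconclusive, cross-check with another client")
        elif name in REQUIRED and not seen:
            findings.append(f"{name}: required but not negotiated")
        elif name in FORBIDDEN and seen:
            findings.append(f"{name}: deprecated but accepted")
    return findings


if __name__ == "__main__":
    sample = {"TLSv1": False, "TLSv1.1": True, "TLSv1.2": True, "TLSv1.3": None}  # constructed
    print(evaluate(probe(sys.argv[1]) if len(sys.argv) > 1 else sample))
```

Some operating systems disable TLS 1.0 and 1.1 in the local OpenSSL configuration regardless of these settings, so treat a "refused" result for those versions as confirmed only after a second tool such as SSL Labs agrees.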

How does Xoxoday Plum encrypt data at rest?

Learn how Xoxoday Plum protects stored data using AES-256 encryption across its infrastructure.

Is Xoxoday Plum SOC 2 Type II certified?

Understand the scope and controls covered by Xoxoday Plum’s SOC 2 Type II certification.